6 Replies Latest reply on Jul 5, 2002 2:24 PM by agaona

    Security Questions


      I have some security questions -

      I posted these to the mailing list, I haven't received an answer yet, so I figured I'd try the forums as well.

      If I log into a web application, with FORM based authentication, and then go to another context, should I have to log in again?

      I'd like to be able to deploy a bunch of WARS, and have any of them be able to authenticate for that session. Then have all the applications logged in. Does this require anything special to be setup in web.xml?

      (Servlet Specification Section 11.6 seems to indicate that the authentication is relevant to a container, not an application)

      Thanks for anyone's help in this regards,

      Okay, I am trying to write a very small application that tests logging into a web page using form based security and the database class.

      The security context seems to work, as I get a login page. However, no matter what I enter, I am allowed in.

      Here are the relevant pieces of code, as far as I can tell:


      My WAR file's structure looks like this:


      My WEB.XML contains:

      Security Constraint


      <realm-name>DG</realm-name> <--- Why does this have to be here? According to the
      <form-login-config> spec, realm-name is only for BASIC authentication,
      <form-login-page>login.jsp</form-login-page> but jboss throws up without it.



      My login-config.xml reads:

      <!-- The XML based JAAS login configuration read by the
      org.jboss.security.auth.login.XMLLoginConfig mbean. Add
      an application-policy element for each security domain.

      The outline of the application-policy is:
      <application-policy name="security-domain-name">

      <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>

      <login-module code="login.module2.class.name" flag="control_flag">


      $Revision: $

      <!-- Used by clients within the application server VM such as
      mbeans and servlets that access EJBs.
      <application-policy name = "client-login">

      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">


      <!-- Security domain for JBossMQ -->
      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "sm.objectnam">jboss.mq:service=StateManager</module-option>


      <!-- Security domains for testing new jca framework -->
      <application-policy name = "HsqlDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>


      <application-policy name = "FirebirdDBRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sysdba</module-option>
      <module-option name = "userName">sysdba</module-option>
      <module-option name = "password">masterkey</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>


      <application-policy name = "JmsXARealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>


      <!-- The default login configuration used by any security domain that
      does not have a application-policy entry with a matching name
      <application-policy name = "other">
      <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
      the case for an unuathenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,

      <!--login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" /-->
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">select user_password from users where user_email = ?</module-option>
      <module-option name="rolesQuery">
      SELECT ROLE_NAME, 'Roles'
      ROLES r,
      USERS u,
      USER_ROLES ur,
      u.user_email = ? AND
      u.user_id = ur.user_id AND
      ur.role_id = drr.role_id_source AND
      r.role_id = drr.role_id_destination



      My server.log shows this when I tried logging in using the following info:
      username = blah
      password = thisshouldntwork

      2002-06-26 10:03:59,210 INFO [org.jboss.jetty.Jetty] JSP: init
      2002-06-26 10:04:04,717 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] JBossUserPrincipal: blah
      2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] created JBossUserRealm::JBossUserPrincipal: blah
      2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticating: Name:blah Password:****
      2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticated: blah
      2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] setting JAAS subjectAttributeName(j_subject) : null
      2002-06-26 10:04:04,747 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticating: Name:blah Password:****
      2002-06-26 10:04:04,747 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticated: blah
      2002-06-26 10:04:04,747 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] JBossUserPrincipal: blah is in Role: DG
      2002-06-26 10:04:05,879 INFO [org.jboss.jetty.Jetty] JSP: init

      The user blah doesn't exist in the database.


      Any other info I'll be happy to provide. I'm very confused as to why this isn't working, and have spent about 2 days on it so far.



        • 1. Re: Security Questions

          Is anyone out there able to help me with what is wrong with my configuration?

          I've tried reading the getting started manual, I have the JBoss 2.4.5 hard print manual, and I'm still very lost as to why this isn't working.

          Thanks to anyone that can help,


          • 2. Re: Security Questions

            Hi Alan,

            Did you ever sort this out, I am having exactly the same problem and from the documentation available (free and paid) came up with prety much the same configuration.

            Has anybody got this working?


            • 3. Re: Security Questions


              for an answer to Q1, see:
              http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/ can't help with Q2, sorry


              • 4. Re: Security Questions


                Got Q2 working by adding the following "jboss-web.xml" file to WEB-INF directory.


                and adding the following to the login-conf.xml file

                <application-policy name = "testDomain">

                <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                <module-option name = "dsJndiName">java:/OracleDS</module-option>
                <module-option name = "principalsQuery">select passwd from jboss_users where userid = ?</module-option>
                <module-option name = "rolesQuery">select role, rolegroup from jboss_roles where userid = ?</module-option>


                Slight problem with roles now but leave that for another day!

                Hope this helps


                • 5. Re: Security Questions

                  Very good. I'll check on that with my applicaitons and see if I can get Q2 working here! :) Thanks alot!

                  As for Q1, that would work if I was using Tomcat. I'm using the normal distribution with Jetty however...


                  Maybe as a side effect of Q2, it will start working. We'll see! ;)


                  • 6. Re: Security Questions

                    I did SUCCESFULLY operate security using your hint. I made some changes to the suggested queries, since I prefer a many-to-many relationship between users and roles instead of the suggested one-to-many. I had a little problem with the roles but if was no difficult to solve it having a look into the source code (http://www.thecortex.net/clover/eg/jboss/report/org/jboss/security/auth/spi/DatabaseServerLoginModule.html). To avoid bothering you with the details I changed the second query to 'select role, null from jboss_roles where userid = ?'. This got the security working ON CATALINA. Hope Drakmir has the same results under Yetti.